
[kirkstone,v2] openssh: fix CVE-2024-6387

Message ID 20240702163336.75537-2-jose.quaresma@foundries.io
State Superseded
Delegated to: Steve Sakoman
Series [kirkstone,v2] openssh: fix CVE-2024-6387

Commit Message

Jose Quaresma July 2, 2024, 4:33 p.m. UTC
sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
Race condition resulting in potential remote code execution.
A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.
This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config)
though this makes denial-of-service against sshd(8) considerably easier.
For more information, please refer to the release notes [1] and the
report from the Qualys Security Advisory Team [2] who discovered the bug.

[1] https://www.openssh.com/txt/release-9.8
[2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

References:
https://www.openssh.com/security.html

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---

v2: include the missing cve tag: CVE: CVE-2024-6387

 .../openssh/openssh/CVE-2024-6387.patch       | 25 +++++++++++++++++++
 .../openssh/openssh_8.9p1.bb                  |  1 +
 2 files changed, 26 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch

Comments

patchtest@automation.yoctoproject.org July 2, 2024, 4:48 p.m. UTC | #1
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/kirkstone-v2-openssh-fix-CVE-2024-6387.patch

FAIL: test Signed-off-by presence: A patch file has been added without a Signed-off-by tag: 'CVE-2024-6387.patch' (test_patch.TestPatch.test_signed_off_by_presence)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: Patch cannot be merged (test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test CVE check ignore: No modified recipes or older target branch, skipping test (test_metadata.TestMetadata.test_cve_check_ignore)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: Patch cannot be merged (test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
Matthew Bullock July 2, 2024, 5 p.m. UTC | #2
On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org
<quaresma.jose=gmail.com@lists.openembedded.org> wrote:
>
> sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
> Race condition resulting in potential remote code execution.
> A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.
> This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config)
> though this makes denial-of-service against sshd(8) considerably easier.
> For more information, please refer to the release notes [1] and the
> report from the Qualys Security Advisory Team [2] who discovered the bug.

Wouldn't it be better to use the much cleaner fix from openssh-portable:
https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47

I realise that most of the distros seem to have copied the same early
patch but I assume that was to get the fix done prior to public
exposure. As there's a proper fix isn't that better?

Matthew
Jose Quaresma July 2, 2024, 5:15 p.m. UTC | #3
Hi Matthew,

Matthew Bullock <mbullock@thegoodpenguin.co.uk> wrote (Tuesday, 2/07/2024 at 18:00):

> On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org
> <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
> >
> > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
> > Race condition resulting in potential remote code execution.
> > A race condition in sshd(8) could allow remote code execution as root on
> non-OpenBSD systems.
> > This attack could be prevented by disabling the login grace timeout
> (LoginGraceTime=0 in sshd_config)
> > though this makes denial-of-service against sshd(8) considerably easier.
> > For more information, please refer to the release notes [1] and the
> > report from the Qualys Security Advisory Team [2] who discovered the bug.
>
> Wouldn't it be better to use the much cleaner fix from openssh-portable:
>
> https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47
>
> I realise that most of the distros seem to have copied the same early
> patch but I assume that was to get the fix done prior to public
> exposure. As there's a proper fix isn't that better?
>
> Matthew
>

On the regression report [1] the suggested way to fix this is this one as
you can see below:
[1] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

========================================================================

Patches and mitigation

========================================================================

Because this fix is part of a large commit (81c1099), on top of an even
larger defense-in-depth commit (03e3de4, "Start the process of splitting
sshd into separate binaries"), it might prove difficult to backport. In
that case, the signal handler race condition itself can be fixed by
removing or commenting out the async-signal-unsafe code from the
sshsigdie() function; for example:

------------------------------------------------------------------------
sshsigdie(const char *file, const char *func, int line, int showfunc,
    LogLevel level, const char *suffix, const char *fmt, ...)
{
#if 0
        va_list args;

        va_start(args, fmt);
        sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
            suffix, fmt, args);
        va_end(args);
#endif
        _exit(1);
}
------------------------------------------------------------------------


Jose
Steve Sakoman July 3, 2024, 1:41 p.m. UTC | #4
On Tue, Jul 2, 2024 at 10:15 AM Jose Quaresma via
lists.openembedded.org
<quaresma.jose=gmail.com@lists.openembedded.org> wrote:
>
> Hi Matthew,
>
> Matthew Bullock <mbullock@thegoodpenguin.co.uk> wrote (Tuesday, 2/07/2024 at 18:00):
>>
>> On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org
>> <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
>> >
>> > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
>> > Race condition resulting in potential remote code execution.
>> > A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.
>> > This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config)
>> > though this makes denial-of-service against sshd(8) considerably easier.
>> > For more information, please refer to the release notes [1] and the
>> > report from the Qualys Security Advisory Team [2] who discovered the bug.
>>
>> Wouldn't it be better to use the much cleaner fix from openssh-portable:
>> https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47
>>
>> I realise that most of the distros seem to have copied the same early
>> patch but I assume that was to get the fix done prior to public
>> exposure. As there's a proper fix isn't that better?
>>
>> Matthew
>
>
> On the regression report [1] the suggested way to fix this is this one as you can see below:
> [1] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
>
> ========================================================================
>
> Patches and mitigation
>
> ========================================================================
>
> Because this fix is part of a large commit (81c1099), on top of an even
> larger defense-in-depth commit (03e3de4, "Start the process of splitting
> sshd into separate binaries"), it might prove difficult to backport. In

Thanks for this additional explanation. You can disregard my previous
request for a V2 on the scarthgap version since there is no upstream commit!

Steve

> that case, the signal handler race condition itself can be fixed by
> removing or commenting out the async-signal-unsafe code from the
> sshsigdie() function; for example:
>
> ------------------------------------------------------------------------
> sshsigdie(const char *file, const char *func, int line, int showfunc,
>     LogLevel level, const char *suffix, const char *fmt, ...)
> {
> #if 0
>         va_list args;
>
>         va_start(args, fmt);
>         sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
>             suffix, fmt, args);
>         va_end(args);
> #endif
>         _exit(1);
> }
> ------------------------------------------------------------------------
>
>
> Jose
>
> --
> Best regards,
>
> José Quaresma
>
Jose Quaresma July 3, 2024, 2 p.m. UTC | #5
Steve Sakoman <steve@sakoman.com> wrote (Wednesday, 3/07/2024 at 14:41):

> On Tue, Jul 2, 2024 at 10:15 AM Jose Quaresma via
> lists.openembedded.org
> <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
> >
> > Hi Matthew,
> >
> > Matthew Bullock <mbullock@thegoodpenguin.co.uk> wrote (Tuesday, 2/07/2024 at 18:00):
> >>
> >> On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org
> >> <quaresma.jose=gmail.com@lists.openembedded.org> wrote:
> >> >
> >> > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
> >> > Race condition resulting in potential remote code execution.
> >> > A race condition in sshd(8) could allow remote code execution as root
> on non-OpenBSD systems.
> >> > This attack could be prevented by disabling the login grace timeout
> (LoginGraceTime=0 in sshd_config)
> >> > though this makes denial-of-service against sshd(8) considerably
> easier.
> >> > For more information, please refer to the release notes [1] and the
> >> > report from the Qualys Security Advisory Team [2] who discovered the
> bug.
> >>
> >> Wouldn't it be better to use the much cleaner fix from openssh-portable:
> >>
> https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47
> >>
> >> I realise that most of the distros seem to have copied the same early
> >> patch but I assume that was to get the fix done prior to public
> >> exposure. As there's a proper fix isn't that better?
> >>
> >> Matthew
> >
> >
> > On the regression report [1] the suggested way to fix this is this one
> as you can see below:
> > [1] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
> >
> > ========================================================================
> >
> > Patches and mitigation
> >
> > ========================================================================
> >
> > Because this fix is part of a large commit (81c1099), on top of an even
> > larger defense-in-depth commit (03e3de4, "Start the process of splitting
> > sshd into separate binaries"), it might prove difficult to backport. In
>
> Thanks for this additional explanation. You can disregard my previous
> request for a V2 on the scarthgap version since there is no upstream
> commit!
>
> Steve
>

Got it. I only saw this message after replying to the other scarthgap
version.

Jose


>
> > that case, the signal handler race condition itself can be fixed by
> > removing or commenting out the async-signal-unsafe code from the
> > sshsigdie() function; for example:
> >
> > ------------------------------------------------------------------------
> > sshsigdie(const char *file, const char *func, int line, int showfunc,
> >     LogLevel level, const char *suffix, const char *fmt, ...)
> > {
> > #if 0
> >         va_list args;
> >
> >         va_start(args, fmt);
> >         sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
> >             suffix, fmt, args);
> >         va_end(args);
> > #endif
> >         _exit(1);
> > }
> > ------------------------------------------------------------------------
> >
> >
> > Jose
> >
> > --
> > Best regards,
> >
> > José Quaresma
> >

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
new file mode 100644
index 0000000000..9f8f6881e7
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
@@ -0,0 +1,25 @@ 
+Description: fix signal handler race condition
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497
+
+CVE: CVE-2024-6387
+
+Upstream-Status: Backport
+https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc
+
+--- a/log.c
++++ b/log.c
+@@ -452,12 +452,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 
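Review bot: the added patch file header has no Signed-off-by line, which is exactly what the patchtest failure above ("A patch file has been added without a Signed-off-by tag: 'CVE-2024-6387.patch'") points at; add one after the Upstream-Status line. The `Upstream-Status: Backport` tag is also separated from its URL by a line break; the usual form keeps them on one line as `Upstream-Status: Backport [https://git.launchpad.net/...]` so tooling can parse it. On substance, wrapping the `va_list`/`sshlogv()` body of `sshsigdie()` in `#if 0` and leaving only `_exit(1)` is the minimal mitigation the Qualys advisory suggests in the thread above (removing the async-signal-unsafe logging from the signal handler path) rather than the openssh-portable commit Matthew referenced, and it means the fatal log line is no longer emitted on that path; a sentence in the Description saying so would make clear the lost log message is intentional and help whoever later replaces this with the upstream fix.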
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 6411a64eff..d2c477a062 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -36,6 +36,7 @@  SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2023-48795.patch \
            file://CVE-2023-51384.patch \
            file://CVE-2023-51385.patch \
+           file://CVE-2024-6387.patch \
            "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
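Review bot: the SRC_URI addition follows the existing `file://CVE-*.patch \` pattern, keeps the closing quote and the sha256sum line untouched, and needs nothing further here; the `CVE: CVE-2024-6387` tag that v2 added to the patch header is what cve-check reads to mark the recipe as patched, so that tag, not this hunk, is the piece to verify when the recipe is rebuilt.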